Information Security Perimeter

«Challenges companies face when building information
security systems»
Practical Aspects
of Deploying Data Leak Prevention Systems
Based on SearchInform Experience
www.searchinform.com
SearchInform Today
SearchInform Information Security Perimeter (SISP) is
deployed in more than 1500 companies in
Russia, Ukraine, Belarus, Kazakhstan, Latvia, and Lithuania.
The company has its offices in
Moscow, Khabarovsk, Novosibirsk, Yekaterinburg, Kazan, St.
Petersburg, Riga, Vilnius, Kiev, Minsk, and Almaty.
Deployment Department
Information security officers rarely share knowledge within the field.
However, they do trust us with their problems. SearchInform experts are like
doctors: we do not disclose what we are told, we offer solutions.
Working with 1500 customers from different industries has allowed us to
accumulate a unique database of problem-solving cases.
This database answers the question "where do we start?"
Our goal is for 100% of the DLP solution's functionality to be used.
Advantages of the Deployment Department
• A dedicated manager assigned to your company supports your initiatives and
resolves your problems.
• You are kept informed about all recent updates to SearchInform Information
Security Perimeter (SISP) and its usage.
• All managers take part in the training program. You will not only learn how
to create security policies for your company's needs, but also find out about
the pitfalls of security processes and the expected results, based on real-life
examples.
Training Center
The SearchInform training center has been operating since May 2013.
It offers a training course called "Practical Application of DLP Systems".
More than 600 people have completed the course since then.
Working with Colleges
Quite often college graduates do not meet employer expectations because they
lack practical experience.
SearchInform takes part in graduate training programs, making it easier for
college students to gain valuable hands-on experience.
SearchInform Information Security Perimeter is available to all interested
colleges for free.
SISP is offered to all interested colleges free of charge so that they can train
professionals able to work with the real product.
Colleges in the program, by country and city:
Russia, 31: St. Petersburg, 11; Moscow, 9; Kazan, 5; Tver, 1; Irkutsk, 1;
Voronezh, 1; Togliatti, 1; Samara, 1; Ufa, 1
Ukraine, 6: Kiev, 4; Odessa, 1; Lvov, 1
Belarus, 1: Minsk, 1
Today we work with 38 colleges in Russia, Ukraine and Belarus.
Training and certification within our program "Practical Application of DLP
Systems" helps students successfully start a career in information security.
Students who have successfully completed the training program are welcome to
take part in our employment fair.
Information Security Should Promote Business, not Hinder It.
All Data Channels Should Be Open
Very often employees are not allowed to use the most efficient and popular
data channels. For instance, employees may only use corporate email, while
instant messengers are banned despite the fact that they could considerably
increase efficiency.
A state-of-the-art DLP system should monitor, analyze, and control leaks of
sensitive data over all possible data channels, rather than closing them.
An Information Security System Should Control All Data Channels
"The Wizard of Oz" featured a big scary wolf guarding the gate of the country
against intruders. Nobody could cross the border at the gate. The rest of the
border, however, was just painted.
The same applies to information security: if flash drives are blocked,
confidential data will leak through e-mail or instant messengers instead.
Skype has a reputation as the most secure means of communication, so at work
employees use it more freely than any other instant messenger. That is why
files and SMS, text and voice messages sent over Skype should be controlled.
An integrated approach to information security is only possible when all data
channels are controlled.
One Man Doesn't Make a Team?
Captured data is useless until it is analyzed.
Reading all captured data is an irrational way to analyze it. With the
traditional approach a security officer can only handle 20-50 employees. What
if there are a couple of hundred, or even thousands, of them?
SISP offers an extensive set of search engines and automatic data analysis.
This way one security officer can monitor the activity of 1000-1500 employees.
Domain Names
Integration with the Windows domain structure helps accurately identify users
even if they use nicknames, free web mail or other computers.
User Rights Differentiation
With SISP you can configure different access rights for different users.
IT or IS?
We strongly recommend drawing a line between the IT and information security
departments. Each of them has its own objectives.
Employing a qualified information security officer would be the best possible
solution.
Three Pillars of Information Security
• Prevent data leaks
A state-of-the-art DLP system should not only discover data leaks, but also
prevent them at the stage of malicious intent.
• Keep up with employee moods
A better understanding of your employees is achieved through monitoring
instant messengers, social networks and web blogs.
• Optimize corporate policy
By monitoring employees' reaction to innovations, you can effectively update
corporate policies and procedures.
SearchInform Information Security Perimeter
System Architecture
All SISP components have a client-server architecture. The server side
incorporates two platforms, NetworkSniffer and EndpointSniffer. The client side
includes the applications used to access the databases and retrieve information.
The NetworkSniffer platform captures data with the help of a traffic-mirroring
device, i.e. the corporate network is not affected in any way.
All data sent over SMTP, POP3, IMAP, HTTP, HTTPS, MAPI, ICQ, Jabber, and MSN
is captured at the corporate network level. The products offered as part of the
NetworkSniffer platform are described in the SISP Units section below.
The EndpointSniffer platform captures data with the help of agents installed
on user computers.
It provides additional control of employees working outside the office.
SearchInform EndpointSniffer collects all data sent or received by users and
transfers it to security officers as soon as the laptops are back on the
corporate network.
Its major advantage is increased fault tolerance: interception continues even
if the servers are unavailable. Data transmitted over secure protocols is also
captured.
The EndpointSniffer agents are described in the SISP Units section below.
SISP Units
Capturing Internet Traffic
SearchInform NetworkSniffer is used to monitor, analyze, and control leaks of
sensitive data over the Internet. All common protocols are supported, as well
as proxy servers, both software (Kerio, Squid, etc.) and hardware (BlueCoat,
IronPort, etc.), through ICAP.
MailSniffer
E-mail is the biggest threat to information security: it is used to send and
receive huge volumes of data every day. SMTP, POP3, MAPI and IMAP are supported.
HTTPSniffer
Sensitive data can be posted to social networks and web blogs or sent through
free web mail and SMS services.
CloudSniffer
Cloud services are used to store large volumes of data. Automatic
synchronization of cloud storage with employee devices poses another threat.
The following services should be controlled: Dropbox, Google Drive, Office
365, etc.
ADSniffer
Control and analysis of Active Directory logs reveals suspicious activity by
system administrators. ADSniffer monitors and saves only those events that
present a potential threat to information security.
PrintSniffer
This unit monitors documents sent to print. All information is captured,
indexed and saved to the database, where it is stored for the configured
retention period.
By monitoring documents sent to print you can not only prevent data leaks, but
also avoid excessive use of paper and toner.
FTPSniffer
File transfer protocol (FTP) is the most important means of transferring large
volumes of data, but it may also be used by insiders to transfer whole
databases, detailed drawings, scanned files, etc.
SkypeSniffer
SearchInform Information Security Perimeter is the first information security
solution that captures not only text and voice messages, but also files and
SMS sent via Skype.
IMSniffer
IMSniffer captures data sent through instant messenger services. The following
protocols are supported: ICQ, MSN, Jabber, etc.
ViberSniffer
ViberSniffer is the only solution that allows full Viber control. Contacts,
attached files, voice and text messages are captured.
DeviceSniffer monitors data stored on removable media (flash drives, disks,
external HDDs) as well as files written to such devices (shadow copying). All
information written to external devices can be encrypted. This way you avoid
large-volume leaks by insiders who save data to removable media because they
cannot send it over the Internet.
MonitorSniffer is used to capture screenshots, record user screens and save
the information in the database. Real-time viewing of one or several user
screens is supported, as is control of users working over RDP (Remote Desktop
Protocol).
FileSniffer controls shared network resources that store huge volumes of
confidential data not intended for exposure outside the company. These
resources may be used for malicious purposes. SearchInform FileSniffer allows
controlling all file operations on shared network resources.
IWS (Indexing Workstations) monitors whether sensitive data was copied, moved
or deleted on user workstations. By monitoring user workstations you can
detect employees who are about to expose sensitive information to third
parties.
More than DLP
A restricted folder was accessed by somebody else? What was he/she doing:
copying, deleting or just looking for something? A mystery? No!
Do you know what your system administrator does at work? What accounts has he
created? What rights were changed? Did he delete the accounts of dismissed
employees?
You can know much more! FileSniffer together with ADSniffer ensures
comprehensive control of the IT department.
SISP Applications
Prevention of data leaks through laptops
SearchInform provides fully fledged control of laptops outside the corporate
network.
Endpoint agents go completely unnoticed by users; even skilled engineers will
hardly be able to detect them running. As soon as they are installed, they
start collecting data and sending it to security officers.
In 2013 we launched MicrophoneSniffer, a supplementary solution used to record
employee conversations.
Monitoring Laptops
One company surprised its employees with 150 new laptops ordered for top and
mid-level managers. The corporate generosity soon paid off in spades.
Within three months of receiving the laptops, employees no longer drew a line
between private and work matters. The corporate laptops were used both at home
and at work, which produced a considerable flow of important data. As a result
security officers detected several fraud schemes.
Laptops may be quite useful for business not only because of their form
factor, but also in terms of information security.
Who Controls the Supervisors?
It may be quite difficult to monitor system administrators' work. Doing it
unnoticed by people whose work is directly connected to IT is close to
impossible. However, the problem needs to be solved: system administrators'
activity is the basis of information security.
The best option when controlling IT services is timely detection of suspicious
activity.
If a system administrator assigns extra permissions to an account and after a
while reverts to the previous settings, this should give pause for thought.
If a system administrator frequently reads confidential documents, this should
give pause for serious thought.
Negligence is another issue.
After an employee is dismissed, system administrators must block access to
his/her corporate mailbox, domain account, CRM, etc.
Despite that, "ghost employees" are bred quite often: accounts of former
employees remain active, internal correspondence keeps arriving in the
corporate mailbox, etc.
This may lead to leaks of confidential data.
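The two warning signs above (a permission grant that is quietly reverted, and accounts of dismissed staff that are never disabled) can be checked directly against the Windows Security event log that a tool like ADSniffer consumes. The Python below is an added example written for this page; it is not SearchInform code and does not reproduce ADSniffer's logic. The event IDs are real Windows Security event IDs; the sample events, the HR termination list, the 24-hour window, the one-day grace period and the list of privileged groups are constructed assumptions.

```python
from datetime import datetime, timedelta

# Real Windows Security event IDs (the sample events below are constructed):
GROUP_ADD = {4728, 4732, 4756}      # member added to a global / local / universal security group
GROUP_REMOVE = {4729, 4733, 4757}   # member removed from a global / local / universal security group
ACCOUNT_DISABLED = 4725
ACCOUNT_ENABLED = 4722

# Assumed list of groups whose membership changes are worth alerting on.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_temporary_elevations(events, window=timedelta(hours=24)):
    """Accounts added to a privileged group and removed again within `window`.

    Each event is a dict with keys time, id, actor, member, group.
    Returns (actor, member, group, added_at, removed_at) tuples. An add that is
    never reverted is a standing privilege and is not reported here."""
    pending = {}   # (member, group) -> (actor, added_at)
    hits = []
    for ev in sorted(events, key=lambda e: parse_ts(e["time"])):
        if ev.get("group") not in PRIVILEGED_GROUPS:
            continue
        key = (ev["member"], ev["group"])
        t = parse_ts(ev["time"])
        if ev["id"] in GROUP_ADD:
            pending[key] = (ev["actor"], t)
        elif ev["id"] in GROUP_REMOVE and key in pending:
            actor, added_at = pending.pop(key)
            if t - added_at <= window:
                hits.append((actor, ev["member"], ev["group"], added_at, t))
    return hits


def find_ghost_accounts(events, terminated, now, grace=timedelta(days=1)):
    """Dismissed users (name -> last working day) whose account is still enabled
    once `grace` has passed. A 4722 after a 4725 re-enables the account, so the
    last event in time order decides the state."""
    state = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["time"])):
        if ev["id"] == ACCOUNT_DISABLED:
            state[ev["member"]] = "disabled"
        elif ev["id"] == ACCOUNT_ENABLED:
            state[ev["member"]] = "enabled"
    return [user for user, last_day in terminated.items()
            if now >= parse_ts(last_day) + grace and state.get(user) != "disabled"]


# Constructed sample data.
SAMPLE_EVENTS = [
    {"time": "2014-03-03 09:12:00", "id": 4728, "actor": "sysadmin1", "member": "jdoe", "group": "Domain Admins"},
    {"time": "2014-03-03 11:40:00", "id": 4729, "actor": "sysadmin1", "member": "jdoe", "group": "Domain Admins"},
    {"time": "2014-03-04 08:00:00", "id": 4728, "actor": "sysadmin2", "member": "backup_svc", "group": "Backup Operators"},
    {"time": "2014-03-05 10:00:00", "id": 4725, "actor": "sysadmin1", "member": "msmith", "group": None},
    {"time": "2014-03-05 10:05:00", "id": 4722, "actor": "sysadmin1", "member": "msmith", "group": None},
]
TERMINATED = {"msmith": "2014-03-01 00:00:00", "ppetrov": "2014-02-20 00:00:00", "akim": "2014-03-10 00:00:00"}
NOW = parse_ts("2014-03-07 09:00:00")

if __name__ == "__main__":
    for actor, member, group, added, removed in find_temporary_elevations(SAMPLE_EVENTS):
        print(f"{actor} put {member} in '{group}' at {added} and took it back at {removed}")
    print("still enabled after dismissal:", find_ghost_accounts(SAMPLE_EVENTS, TERMINATED, NOW))
```

On the constructed sample, `jdoe` is reported because the Domain Admins membership lasted under three hours, `backup_svc` is not reported because the grant was never reverted, and `msmith` is a ghost account even though a disable event exists, because a later enable event undid it.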
Improving Performance
The responsibilities of security officers are not limited to catching insiders
and writing reports. With the right tool at their disposal, security officers
can solve multiple tasks and generate profit, not just minimize losses.
SISP Applications
Worktime monitoring
Alongside protecting sensitive data and fighting malicious attacks, security
officers have to identify inefficient employees.
ProgramSniffer, offered as part of SISP, addresses this challenge. It creates
reports on:
• arrival and leave times
• real work performed
• application usage statistics
• time spent on web sites
Lazy Flu
Being at work does not guarantee that your employees will attend to their
direct responsibilities.
Symptoms of lazy flu:
• Social networks;
• Entertainment resources;
• Online games;
• Smoke breaks;
• Laziness.
Inefficient use of time causes greater damage to companies than you may first
think.
The Problem Should Not Be Underestimated
Lazy flu rapidly develops in three directions. Consequences to the business:
• Direct losses, simply because employees mind their own business during
working hours
• It infects other employees: if he does nothing, why should I work?
• Less profit
Improving Performance
Three ways to control working time, each rated by efficiency (efficient / not
efficient) and cost (expensive / not expensive):
• Automate control
• Assign a supervisor
• Control on your own (look over the shoulder, make screen captures, look
through browser logs, etc.)
Hardware
In recent years data leak prevention strategy has focused on virtual space.
However, old-fashioned methods may still be effective.
Data Leaks and Preventive
Measures
Incoming Secured Gmail Correspondence
Many employees use their Gmail accounts despite corporate security rules.
Confident that Gmail is protected, they may use it for non-work-related
purposes.
SearchInform allows controlling both sides of the correspondence, not just the
e-mails from one party. Even if employees use their smartphones, as soon as
they open their mailboxes from corporate computers, all correspondence will be
captured.
Monitoring Personal Email
A few years ago SISP detected a suspicious email from an HR manager at a
competing company. It was sent to the personal email of a technical support
engineer to sound out the situation. Her next email was already offering an
interview with the production coordinator.
You should also pay attention to emails with statements and confirmations sent
by banks your company does not work with. A huge difference between official
and real income should arouse suspicion.
Data-Leak Incidents and Preventive Measures
Alternative Business Schemes
If a search returns Articles of Association that have nothing in common with
your company, then perhaps one of your employees has organized an alternative
business scheme.
Video
Not so long ago a purchasing company faced a fraud scheme developed by one of
its employees. Instead of collecting price quotes, she agreed on a kickback
with one of the suppliers, while the other suppliers' price quotes were
photoshopped. This created the impression that the chosen quote was better
than the others, although in reality it was far from that.
The fraudster was detected after watching video captured by MonitorSniffer.
Audio
Voice recording is needed not only to improve quality of service, but also to
control employees suspected of fraud. During negotiations, sales managers may
make their own arrangements with clients.
Social Networks and Web Blogs
Company matters are often discussed on social networks and web blogs. Sharing
a company's internal information may affect its public image and client
opinion.
Dismissed/Offended Employee
Communication with dismissed employees presents a potential threat of poaching
staff. Just imagine the situation: your employee leaves the company and then
keeps communicating with former colleagues, finds out confidential information,
tells them about the perfect conditions at his/her new place and says how
wonderful it would be to work there together.
Data Leak Prevention
With SISP you will always know who your employees communicate with and be able
to reveal opinion shapers.
Disloyal Employees
Employees start browsing job search web sites before writing CVs. They may not
send anything, just look through job openings. It is important to detect both
the sending of CVs and visits to job search web sites.
Dissatisfied employees who are not planning to leave the company may be
offended by anything or anybody: top management, salary, position, etc.
They may be detected by their negative attitude to events.
If there are no events, create them.
Dissatisfaction may entail a desire to leave the company.
Misinformation helps reveal disloyal employees at an early stage.
Risk Group
Employees attributed to the risk group are not insiders or disloyal employees,
but may become such under certain circumstances.
The risk group includes:
• Employees with dependencies (alcohol, drugs, etc.);
• Employees with financial problems (debts, loans, etc.);
• And many more...
Risk group employees may be manipulated and blackmailed.
The risk group may include more employees than you think.
We have created dictionaries to detect conversations related to particular
spheres of life.
By working correctly with the risk group you can increase the loyalty of your
employees.
Loose Lips Sink Ships!
One Siberian bank was planning a new credit line. Lots of time and effort was
spent on it: 3 months of surveys, financial expenses, and...
Two days before the launch it turned out that a competing bank had started a
similar program. This aroused suspicion. An internal investigation made with
the help of SISP showed that one of the employees was at fault. Although he
had left the company long ago, he kept communicating with former colleagues,
and they told him everything in friendly conversations.
Synonym Dictionaries
Together with one of the city councils, SearchInform Ltd. has worked out a
synonym dictionary for finding conversations related to bribery.
If specific words, e.g. money, cash, franklins, booty, etc., are found,
security officers are immediately notified.
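A dictionary-based detector like the one described above (and the risk group dictionaries mentioned in the Risk Group section) is simple to build, but naive substring matching produces noise, for instance "cash" inside "cashier", and a lone "money" is too common to notify anyone about. The Python below is an added example, not SearchInform's dictionary or code. The page names money, cash, franklins and booty; the remaining terms, the "deal" and "debt" categories, the co-occurrence rule and the sample messages are the author's assumptions.

```python
import re

# Constructed dictionaries: the page names money, cash, franklins and booty;
# every other term and the categories themselves are assumptions for the example.
DICTIONARIES = {
    "bribery_money": ["money", "cash", "franklins", "booty", "envelope", "kickback"],
    "bribery_deal": ["tender", "contract", "permit", "approve", "sign off", "look the other way"],
    "risk_debt": ["loan", "debt", "collector", "overdue", "mortgage"],
}

# Notify only when a money term and a deal term occur in the same message.
ALERT_RULES = [("bribery_money", "bribery_deal")]


def compile_dictionary(dicts):
    """Build one case-insensitive regex per category.

    Word boundaries make 'cash' match as a word but not inside 'cashier';
    multi-word phrases tolerate any run of whitespace between their words.
    Longer terms are listed first so a phrase wins over a word it contains."""
    compiled = {}
    for category, terms in dicts.items():
        patterns = [r"\s+".join(re.escape(w) for w in term.split())
                    for term in sorted(terms, key=len, reverse=True)]
        compiled[category] = re.compile(r"\b(?:" + "|".join(patterns) + r")\b", re.IGNORECASE)
    return compiled


COMPILED = compile_dictionary(DICTIONARIES)


def scan_message(text, compiled=COMPILED, rules=ALERT_RULES):
    """Return {'hits': {category: [matched terms]}, 'alerts': [rules that fired]}."""
    hits = {}
    for category, rx in compiled.items():
        found = sorted({re.sub(r"\s+", " ", m.group(0).lower()) for m in rx.finditer(text)})
        if found:
            hits[category] = found
    alerts = [rule for rule in rules if all(cat in hits for cat in rule)]
    return {"hits": hits, "alerts": alerts}


def scan_corpus(messages, compiled=COMPILED, rules=ALERT_RULES):
    """messages: iterable of (message_id, text). Returns {message_id: scan result}."""
    return {msg_id: scan_message(text, compiled, rules) for msg_id, text in messages}


# Constructed sample messages.
SAMPLE_MESSAGES = [
    ("m1", "The cashier counted the register twice"),                            # no hit: 'cashier' is not 'cash'
    ("m2", "If you sign off on the permit I'll bring the Franklins on Friday"),  # money + deal: alert
    ("m3", "My loan is overdue again, the collector called"),                    # risk group dictionary only
    ("m4", "Did you get the money for the tickets?"),                            # money alone: no alert
]

if __name__ == "__main__":
    for msg_id, result in scan_corpus(SAMPLE_MESSAGES).items():
        print(msg_id, result)
```

The co-occurrence rule is the part worth tuning in practice: each category on its own is only a search aid for the security officer, while the combination is what justifies an immediate notification.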
Printer
A company producing large volumes of grocery products found a significant
difference between the products shipped and the products stored at the
end-seller's warehouse.
PrintSniffer helped discover the illegal diversion of products organized by a
group of employees, which was made possible by printing duplicate invoices.
Monitoring ICQ and User Workstations
A large flow of negative comments in instant messengers or social networks can
be a hard blow to the company's reputation.
By analyzing your employees' instant messages you can adjust your corporate
security policy and avoid harmful consequences.
Swearing
Swearing combined with the names of top managers gives food for thought.
Any company has its own secrets to protect.
It is crucial to monitor LAN activity and access to documents containing:
• last names of employees;
• business partner data;
• product descriptions.
Some employees should be included in the risk group:
1. Employees who have breached security policies even once
2. Employees who use various tricks, e.g. changing file extensions, sending
password-protected archives, etc.
3. Employees who post negative comments about the company and top management
on social networks and web blogs
4. Employees who have all of a sudden started shirking work
5. Employees who handle cash flows, and mid-level managers
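Item 2 above names two evasion tricks a DLP system has to recognize: renaming a file's extension and sending password-protected archives. The Python below is an added example, not SearchInform code; it identifies a file's real type from its leading magic bytes rather than its extension, and detects encrypted ZIP entries from the flag bit the ZIP format sets for them. The sample files are constructed, and the "encrypted" archive is simulated by setting that flag bit on an ordinary archive.

```python
import io
import zipfile

# Magic bytes checked before trusting the extension. Office 2007+ files are ZIP
# containers, legacy Office files are OLE containers.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
]
EXT_TO_TYPE = {
    "pdf": "pdf", "png": "png", "jpg": "jpg", "jpeg": "jpg",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
    "doc": "ole", "xls": "ole", "ppt": "ole",
}


def sniff_type(data):
    """Type implied by the file's leading bytes, or 'unknown'."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def extension_mismatch(filename, data):
    """True when the declared extension and the real content disagree.

    An extension we have no signature for (.txt, .log, none at all) is only
    suspicious if the content carries a known binary signature: that is the
    'rename report.pdf to report.txt' trick."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXT_TO_TYPE.get(ext)
    actual = sniff_type(data)
    if declared is None:
        return actual != "unknown"
    return declared != actual


def zip_is_encrypted(data):
    """True if any entry has bit 0 of its general-purpose flag set, which the
    ZIP format uses to mark password-protected (encrypted) entries."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x0001 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def classify(filename, data):
    """Flags a DLP policy could act on for one intercepted file."""
    flags = []
    if extension_mismatch(filename, data):
        flags.append("extension_mismatch")
    if sniff_type(data) == "zip" and zip_is_encrypted(data):
        flags.append("encrypted_archive")
    return flags


def scan_files(files):
    return {name: classify(name, data) for name, data in files.items()}


def _make_zip(encrypted):
    """Constructed sample archive. The 'encrypted' variant is simulated by
    setting the encryption flag bit in the local file header (offset 6) and
    the central directory header (offset 8) of an ordinary archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("clients.csv", "name,phone\nAcme,555-0100\n")
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = data.find(signature)
            while i >= 0:
                data[i + offset] |= 0x01
                i = data.find(signature, i + 4)
    return bytes(data)


# Constructed sample files as a DLP agent would see them on the wire or on disk.
SAMPLE_FILES = {
    "quarterly_report.txt": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",  # PDF renamed to .txt
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",                  # genuine JPEG
    "notes.txt": b"Meeting at 10\n",                                      # genuine text
    "backup.zip": _make_zip(encrypted=False),
    "photos.zip": _make_zip(encrypted=True),                              # password-protected
}

if __name__ == "__main__":
    for name, flags in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {flags or 'ok'}")
```

A real agent would extend the signature table and also look inside ZIP containers (a .docx is a ZIP, so a renamed .docx and a renamed .zip sniff the same), but the two checks shown are the ones that catch the tricks the list item describes.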
Common Practice
• Monitoring communication with dismissed employees
• Monitoring so-called opinion shapers and bursts of activity
• Monitoring the activity of 1-2% of staff
DLP Solution Efficiency
A DLP solution is not a universal panacea, but an effective tool used to
monitor, analyze and control leaks of sensitive data.
In our experience, the efficiency of a DLP solution is measured by the number
of dismissed employees.
On average their number reaches 0.2-1% of total headcount within the first 3-4
months after SISP deployment.
SISP Advantages
1. Easy to integrate. You will only need several hours to install SISP. The
company's information systems are not affected in the process of integration.
2. End-to-end solution. All data channels are controlled, including e-mail,
instant messengers, Skype, social networks, iPads and iPhones, printers, etc.
3. Similar-content search. This search type finds documents similar in content
or meaning to the queried ones. High search precision helps increase
efficiency and save on labor expenses.
4. Integration with the Windows domain structure allows accurate user
identification.
5. Extended search capabilities help effectively protect sensitive data. One
security officer can monitor 1000-1500 workstations.
Why Is DLP a Must?
1. It is not expensive. As a rule, the cost of a DLP solution equals the cost
of corporate tea, coffee and the corporate New Year party for one employee.
2. Quick payoff. On average, a data leak costs the information owner around
2.7M USD.
3. A matter of urgency. Information security permits no delay, just as when
your front door is broken.
4. Sensitive data is worth more than the computer where it is stored. It seems
reasonable to spend as much on information security as on software and
hardware.
Thank you!